CVE-2025-2379
Published: 17 March 2025
Description
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Security Summary
CVE-2025-2379 is a critical SQL injection vulnerability (CWE-74, CWE-89) in PHPGurukul Apartment Visitors Management System version 1.0. The flaw affects unknown code in the /create-pass.php file, where manipulation of the 'visname' argument enables SQL injection attacks.
The vulnerability is remotely exploitable by unauthenticated attackers (PR:N) with low attack complexity (AC:L) and no user interaction required (UI:N), carrying a CVSS 3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). Exploitation can result in limited impacts to confidentiality, integrity, and availability.
Advisories and details are documented on VulDB (ctiid.299878, id.299878, submit.515872), the vendor site at phpgurukul.com, and a GitHub issue at github.com/aionman/cve/issues/2. The exploit has been publicly disclosed and may be used.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated SQL injection in public-facing web application (/create-pass.php) enables exploitation of public-facing applications (T1190), arbitrary database queries for data collection (T1213.006), and data tampering/deletion (T1565.001).